MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5d0233280afb24d30e8cd512f4a8be4482973ff61ee0268c717b4831b07c6e01. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5d0233280afb24d30e8cd512f4a8be4482973ff61ee0268c717b4831b07c6e01
SHA3-384 hash: 5a9f4ce323cce04d2dd03bdc31683767dcd1ab2d8a09d9e2b9707235f4a08dae7d3aed166c55f875ebc6cf098870391d
SHA1 hash: d620a0b55b646b3eb69b352088d78f35ed9879fd
MD5 hash: efc3d61b0b1678ed76c4681908c14622
humanhash: fanta-twenty-mexico-spaghetti
File name:efc3d61b0b1678ed76c4681908c14622.exe
Download: download sample
Signature Amadey
Create hunting rule
File size:3'118'080 bytes
First seen:2025-02-26 09:00:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:Dg9aZOwxK70mTBwyuvk8VXE+Yk2P4NOqEJya2p0Oalo1:Dg9aswxaLTBwyuvzBNufW9
TLSH T142E53AA2A409B1EBD4DA27F45517CD46985D03BA0F214DC39C78A879FEA3CE11EF9C24
TrID 42.7% (.EXE) Win32 Executable (generic) (4504/4/1)
19.2% (.EXE) OS/2 Executable (generic) (2029/13)
19.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.9% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter abuse_ch
Tags:Amadey exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
464
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
efc3d61b0b1678ed76c4681908c14622.exe
Verdict:
Malicious activity
Analysis date:
2025-02-26 10:18:30 UTC
Tags:
lumma stealer themida loader amadey botnet evasion telegram credentialflusher gcleaner auto generic rdp vidar
Link:
https://app.any.run/tasks/ade0a6f4-e105-4c09-a64c-528ab4d53f73

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Lumma-1.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67bed89428ab76d43a5d3adf
Tags:
shellcode virus zusy
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for analyzing tools
Searching for the window
DNS request
Connection attempt
Sending a custom TCP request
Query of malicious DNS domain
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
crypt obfuscated packed packed packer_detected
Link:
https://www.filescan.io/uploads/67bed837298112176da11a67/reports/e623ebb8-6a67-4f47-8471-5734cd19690e/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/5d0233280afb24d30e8cd512f4a8be4482973ff61ee0268c717b4831b07c6e01
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/da857719-f68f-43ff-bc4c-49a4bbfab88b
Result
Threat name:
ScreenConnect Tool, PureCrypter, Amadey,
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1624477
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Attempt to bypass Chrome Application-Bound Encryption
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Contains functionality to hide user accounts
Contains functionality to inject code into remote processes
Contains functionality to start a terminal service
Detected PureCrypter Trojan
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Drops large PE files
Drops PE files with benign system names
Enables network access during safeboot for specific services
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Modifies security policies related information
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Possible COM Object hijacking
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Reads the Security eventlog
Reads the System eventlog
Sample uses string decryption to hide its real strings
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Remote Access Tool - ScreenConnect Suspicious Execution
Suspicious powershell command line found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1624477 Sample: LG8Z32b05e.exe Startdate: 26/02/2025 Architecture: WINDOWS Score: 100 142 Found malware configuration 2->142 144 Malicious sample detected (through community Yara rule) 2->144 146 Antivirus detection for URL or domain 2->146 148 23 other signatures 2->148 10 msiexec.exe 2->10         started        15 rapes.exe 4 37 2->15         started        17 LG8Z32b05e.exe 14 2->17         started        19 9 other processes 2->19 process3 dnsIp4 106 199.232.214.172 FASTLYUS United States 10->106 88 C:\Windows\Installer\MSIF9.tmp, PE32 10->88 dropped 90 C:\Windows\Installer\MSIE537.tmp, PE32 10->90 dropped 92 C:\Windows\Installer\MSIE2A5.tmp, PE32 10->92 dropped 102 105 other files (98 malicious) 10->102 dropped 200 Enables network access during safeboot for specific services 10->200 202 Modifies security policies related information 10->202 204 Drops PE files with benign system names 10->204 21 msiexec.exe 10->21         started        36 3 other processes 10->36 108 176.113.115.6 SELECTELRU Russian Federation 15->108 116 2 other IPs or domains 15->116 94 C:\Users\user\AppData\Local\Temp\...\mbg.exe, PE32+ 15->94 dropped 96 C:\Users\user\AppData\Local\...\q3na5Mc.exe, PE32 15->96 dropped 104 12 other malicious files 15->104 dropped 206 Contains functionality to start a terminal service 15->206 23 q3na5Mc.exe 15->23         started        26 VBUN8fn.exe 15->26         started        29 e0aba8f335.exe 15->29         started        38 4 other processes 15->38 110 185.215.113.16 WHOLESALECONNECTIONSNL Portugal 17->110 112 176.113.115.7 SELECTELRU Russian Federation 17->112 114 172.67.169.190 CLOUDFLARENETUS United States 17->114 98 C:\Users\user\...\RKLW2Z2X8EFTBS2085.exe, PE32 17->98 dropped 100 C:\...\D6B92113RS2707Q389KK1SCSLTTOPW0.exe, PE32 17->100 dropped 208 Detected unpacking (changes PE section rights) 17->208 210 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 17->210 212 Query firmware table information (likely to detect VMs) 17->212 220 7 other signatures 17->220 31 RKLW2Z2X8EFTBS2085.exe 13 17->31         started        33 D6B92113RS2707Q389KK1SCSLTTOPW0.exe 4 17->33         started        118 3 other IPs or domains 19->118 214 Changes security center settings (notifications, updates, antivirus, firewall) 19->214 216 Reads the Security eventlog 19->216 218 Reads the System eventlog 19->218 40 5 other processes 19->40 file5 signatures6 process7 dnsIp8 42 rundll32.exe 21->42         started        150 Multi AV Scanner detection for dropped file 23->150 152 Attempt to bypass Chrome Application-Bound Encryption 23->152 154 Injects a PE file into a foreign processes 23->154 46 q3na5Mc.exe 23->46         started        49 WerFault.exe 23->49         started        120 188.114.97.3 CLOUDFLARENETUS European Union 26->120 156 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 26->156 158 Query firmware table information (likely to detect VMs) 26->158 170 4 other signatures 26->170 51 e0aba8f335.exe 29->51         started        53 WerFault.exe 29->53         started        122 185.215.113.115 WHOLESALECONNECTIONSNL Portugal 31->122 160 Detected unpacking (changes PE section rights) 31->160 172 6 other signatures 31->172 74 C:\Users\user\AppData\Local\...\rapes.exe, PE32 33->74 dropped 162 Contains functionality to start a terminal service 33->162 164 Contains functionality to inject code into remote processes 33->164 55 rapes.exe 33->55         started        124 172.67.154.209 CLOUDFLARENETUS United States 38->124 76 C:\Users\user\AppData\Roaming\nahprot.bat, DOS 38->76 dropped 174 2 other signatures 38->174 57 cmd.exe 38->57         started        59 msiexec.exe 38->59         started        166 Contains functionality to hide user accounts 40->166 168 Found direct / indirect Syscall (likely to bypass EDR) 40->168 61 conhost.exe 40->61         started        file9 signatures10 process11 dnsIp12 78 C:\Users\user\...\ScreenConnect.Windows.dll, PE32 42->78 dropped 80 C:\...\ScreenConnect.InstallerActions.dll, PE32 42->80 dropped 82 C:\Users\user\...\ScreenConnect.Core.dll, PE32 42->82 dropped 86 4 other malicious files 42->86 dropped 176 Contains functionality to hide user accounts 42->176 126 149.154.167.99 TELEGRAMRU United Kingdom 46->126 128 116.203.10.65 HETZNER-ASDE Germany 46->128 130 127.0.0.1 unknown unknown 46->130 178 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 46->178 180 Found many strings related to Crypto-Wallets (likely being stolen) 46->180 182 Tries to harvest and steal ftp login credentials 46->182 198 2 other signatures 46->198 63 chrome.exe 46->63         started        132 20.189.173.21 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 49->132 134 104.21.32.1 CLOUDFLARENETUS United States 51->134 184 Query firmware table information (likely to detect VMs) 51->184 186 Tries to steal Crypto Currency Wallets 51->186 136 104.208.16.94 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 53->136 188 Multi AV Scanner detection for dropped file 55->188 190 Detected unpacking (creates a PE file in dynamic memory) 55->190 192 Contains functionality to start a terminal service 55->192 194 Drops large PE files 55->194 196 Suspicious powershell command line found 57->196 66 powershell.exe 57->66         started        68 conhost.exe 57->68         started        84 C:\Users\user\AppData\Local\...\MSID297.tmp, PE32 59->84 dropped file13 signatures14 process15 dnsIp16 138 192.168.2.7 unknown unknown 63->138 140 239.255.255.250 unknown Reserved 63->140 70 cmd.exe 66->70         started        process17 process18 72 conhost.exe 70->72         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/5d0233280afb24d30e8cd512f4a8be4482973ff61ee0268c717b4831b07c6e01
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5d0233280afb24d30e8cd512f4a8be4482973ff61ee0268c717b4831b07c6e01/
Threat name:
Win32.Trojan.Multiverze
Create hunting rule
Status:
Malicious
First seen:
2025-02-26 08:59:11 UTC
AV detection:
30 of 37 (81.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lubdgkak7msngdum2ujpjkf6isbjop7wd3qcnddrpneddmd4nyaq._file
Verdict:
malicious
Label(s):
lummastealer
Create hunting rule
amadey
Create hunting rule
Similar samples:
error
Amadey
Result
Malware family:
n/a
Score:
  9/10
Tags:
defense_evasion discovery spyware stealer
Link:
https://tria.ge/reports/250226-kyj5hatkx2/
Behaviour
Suspicious behavior: EnumeratesProcesses
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks installed software on the system
Checks BIOS information in registry
Identifies Wine through registry keys
Reads user/profile data of local email clients
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Verdict:
Malicious
Tags:
c2 lumma_stealer stealer lumma
YARA:
n/a
Link:
https://app.threat.zone/submission/f6f68868-37d7-4c64-a801-5486ad0eaf3b
Unpacked files
SH256 hash:
5d0233280afb24d30e8cd512f4a8be4482973ff61ee0268c717b4831b07c6e01
MD5 hash:
efc3d61b0b1678ed76c4681908c14622
SHA1 hash:
d620a0b55b646b3eb69b352088d78f35ed9879fd
Link:
https://www.unpac.me/results/4f469e3d-670d-462f-9741-eca394d7434c/
SH256 hash:
81a10f2dd079224a50895bf2d294a6daf947a668f22845a8522f35ddf78d021c
MD5 hash:
11ddc476e2ecf5d9ae2736192ffb3eb4
SHA1 hash:
37e6ef37d7cf430d0700ddc1dd54e5124abab985
Link:
https://www.unpac.me/results/4f469e3d-670d-462f-9741-eca394d7434c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5d0233280afb24d30e8cd512f4a8be4482973ff61ee0268c717b4831b07c6e01

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe 5d0233280afb24d30e8cd512f4a8be4482973ff61ee0268c717b4831b07c6e01

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3452044/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments